CVE-2013-1062

2013-10-0321:55:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2013-1062

ubuntu

system service

d-bus

polkit authority

access restrictions

5.9 Medium

AI Score

Confidence

Low

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

ubuntu-system-service 0.2.4 before 0.2.4.1. 0.2.3 before 0.2.3.1, and 0.2.2 before 0.2.2.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

CPENameOperatorVersion
canonical:ubuntu_linuxcanonical ubuntu linuxeq13.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.04
michael_vogt:ubuntu-system-servicemichael vogt ubuntu-system-serviceeq0.2.3
michael_vogt:ubuntu-system-servicemichael vogt ubuntu-system-serviceeq0.2.2
michael_vogt:ubuntu-system-servicemichael vogt ubuntu-system-serviceeq0.2.4

CPE	Name	Operator	Version
canonical:ubuntu_linux	canonical ubuntu linux	eq	13.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.04
michael_vogt:ubuntu-system-service	michael vogt ubuntu-system-service	eq	0.2.3
michael_vogt:ubuntu-system-service	michael vogt ubuntu-system-service	eq	0.2.2
michael_vogt:ubuntu-system-service	michael vogt ubuntu-system-service	eq	0.2.4